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Abstract. This paper presents an efficient, combined for- 
mulation of two widely used abstraction methods for bit- 
level verification: counterexample-based abstraction ( CBA ) 
and proof-based abstraction (PBA). Unlike previous work, 
this new method is formulated as a single, incremental SAT- 
problem, interleaving CBA and PBA to develop the ab- 
straction in a bottom-up fashion, ft is argued that the 
new method is simpler conceptually and implementation- 
wise than previous approaches. As an added bonus, proof- 
logging is not required for the PBA part, which allows for a 
wider set of SAT-solvers to be used. 



1 Introduction 

Abstraction techniques have long been a crucial part of 
successful verification flows. Indeed, the success of SAT- 
solving can largely be attributed to its inherent ability to 
perform localization abstraction as part of its operations. 
For this reason so called bug- hunting, or BMC, methods 
can often be applied on a full design directly, thereby de- 
ferring the abstraction work to the SAT-solver. However, 
computing an abstraction explicitly is often more useful for 
hard properties that require a mixture of different transfor- 
mation and proof-engines to complete the verification. 

In our formulation, both CBA and PBA compute a lo- 
calization in the form of a set of flops. An abstracted flop 
is in essence replaced by a primary input (PI), thus giving 
more behaviors to the circuit. Both methods work by ana- 
lyzing, through the use of SAT, a /c-unrolling of the circuit. 
However, they differ as follows: 

CBA works in a bottom-up fashion, starting with an 
empty abstraction (all flops are replaced by Pis) and 
adding flops to refute the counterexamples as they are 
enumerated for successively larger k. 

PBA, in contrast, considers the full design and a com- 
plete refutation of all counterexamples of depth k (in 
the form of an UNSAT proof). Any flop not syntacti- 
cally present in the proof of UNSAT is abstracted. 

The two methods have complementary strengths: CBA by 
virtue of being bottom- up is very fast, but may include 
more flops than necessary. PBA on the other hand does a 
more thorough analysis and almost always gives a tighter 
abstraction than CBA, but at the cost of longer runtime. 



In this work, it is shown how the two methods can be 
seamlessly combined by applying PBA, not on the full de- 
sign, but on the latest abstraction produced by CBA. This 
solution has a very elegant incremental SAT formulation, 
which results in a simple, scalable algorithm that has the 
strength of both methods. 

In the experimental section it is shown how a design with 
40,000 flops and 860,000 AND-gates is localized to a hand- 
ful of flops in just 4 seconds (much faster than any previ- 
ous method), and how this abstraction is instantaneously 
solved by the interpolation-based proof-engine |10j . whilst 
the original unabstracted design took 2 minutes to verify, 
despite the inherent localization ability of interpolation. 

2 Related Work 

Counterexample-based abstraction was first introduced by 
Kurshan in [8] and further developed by Clarke et. al. in 
[3]. Proof-based abstraction was coined by McMillan [llj . 
and independently proposed by Gupta et. al in [7]. 

The work most closely related to ours is Gupta's work 
of [7J and McMillan et. al's work of 1 . In both ap- 
proaches, abstract counterexamples are concretized using 
a SAT-solver. When concretization fails, the UNSAT proof 
guides the abstraction refinement. Our work does not rely 
on a SAT-solver to refute counterexamples, but instead uses 
a simpler and more scalable method based on ternary sim- 
ulation (section H3J ■ 

Gupta's approach does not rely on BDD reachability to 
produce abstractions; although BDDs are used to form a 
complete proof-procedure. Like our method, it tries to limit 
the amount of logic that is put into the SAT-solver when 
unrolling the circuit, thereby improving scalability. It dif- 
fers, though, in that the initial unrolling is done on the 
concrete design (our method starts with an empty abstrac- 
tion), and that PBA is used to shrink the abstract model 
in a more conservative manner, requiring the PBA result 
to stabilize over several iterations. 

The work of McMillan et. al. mixes PBA for refut- 
ing all counterexamples of length k with proof-analysis of 
counterexamples from the BDD engine, refuting individual 
(or small sets of) counterexamples. Unlike Gupta's work, 
BDDs are an integral part of the abstraction computation. 

The approach proposed in this paper differs further from 



previous work in that it does not constitute a complete 
proof-procedure. There are many different ways of using 
an abstraction method as part of a verification flow. A 
simple use-model would be: Run the abstraction computa- 
tion until some resource limit is reached, then output the 
best abstraction found so far and put the method on hold. 
If the abstraction turns out not to be good enough for the 
downstream flow, resume abstraction computation with a 
higher resource limit, and produce a more refined abstrac- 
tion. Obviously, this use-model can be further improved by 
multi-threading on a multi-core machine. 

In the experimental evaluation, we choose to pass ab- 
stractions to an interpolation-based proof-engine. This par- 
ticular setup relates to the work of [9] and [2]. 

3 Assumptions and Notation 

In the presentation, the following is assumed: 

- The design is given as a set of next-state functions 
expressed in terms of current state variables (flops) and 
primary inputs (Pis). 

- The design has only one property, which is a safety 
property. 

- All flops are initialized to zero, and are running on the 
same clock (hence acting as unit delays). 

It is further assumed that the logic of the next-state func- 
tions is represented as a combined And-Inverter-graph, with 
the single property being the output of a particular And- 
gate. As customary, the negation of the property is referred 
to as the bad signal. 

An "abstraction" is identified with a set of flops. If a flop 
is not part of the abstraction, it is treated as a PI in the 
abstract model of the design. By this semantics, adding a 
flop to the current abstraction means concretizing it in the 
abstract model: replace the PI by a flop and connect it to 
the appropriate input signal. 

4 Algorithm 

How does the proposed algorithm work? It starts by assum- 
ing the empty abstraction, treating all flops as Pis. It then 
inserts one time-frame of the design into the SAT-solver, 
and asks for a satisfying assignment that produces True 
at the bad signal. The SAT-solver will come back SAT0 and 
the counterexample is used to concretize some of the flops 
(= CBA). When enough flops have been concretized, the 
SAT-problem becomes UNSAT, which means that all coun- 
terexamples of length have been refuted (unless there is 
a true counterexample of length zero) . The algorithm can 
now move on to depth 1, but before doing so, any flop that 
did not occur in the UNSAT proof is first removed from 
the abstraction (= PBA). The procedure is repeated for 
increasing depths, resulting in an incremental sequence of 
SAT calls that looks something like 

1 The very first query only comes back "UNSAT" if the property 
holds combinationally, a corner case we ignore here. 



depth 0: SAT, SAT, SAT, SAT, UNSAT 

depth 1: SAT, UNSAT 

depth 2: SAT, SAT, SAT, UNSAT 



with each sequence of calls at a given depth ending in an 
"UNSAT" result that prunes the abstraction built up by 
analyzing the preceding "SAT" counterexamples. 

The algorithm terminates in one of two ways: either (i) 
CBA comes back with the same set of flops as were given to 
it, which means we have found a true, justified counterex- 
ample, or (ii) it runs out of resources for doing abstraction 
and stops. The resulting abstraction is then returned to the 
caller to be used in the next step of the verification process. 

4.1 Counterexample-based refinement 

Assume that for the current abstraction A the last call to 
SAT returned a counterexample of length k. The coun- 
terexample is then analyzed and refined by the following 
simple procedure^ in order to refute it: 

CBA refinement. Loop through all flops not in A. 
Replace the current value of the counterexample with 
an X (the undefined value) and do a three- valued simu- 
lation. If the X does not reach the bad signal, its value 
is unimportant for the justification of the counterexam- 
ple, and the corresponding flop is kept as a PI. If, on the 
other hand, X propagates all the way to bad, we undo 
the changes made by that particular X-propagation and 
add the corresponding flop to A. 

The order in which flops are inspected does matter for the 
end result. It seems like a good idea to consider multiple 
orders and pick the one producing the smallest abstraction. 
But in our experience it does not improve the overall algo- 
rithm. The extra runtime may save a few flops temporarily, 
but they are typically added back in a later iteration, or re- 
moved by PBA anyway, resulting in the same abstraction 
in the end. 

4.2 Incremental SAT 

Incremental SAT is not a uniquely defined concept. The 
interpretation used here is a solver with the following two 
methods: 

- addClause(literals): This method adds a clausal con- 
straint, i.e. (po V Pi V . . . V Pn-i) where pi G literals, to 
the SAT-solver. The incremental interface allows for 
more clauses to be added later. 

solveSat(assumps): This method searches for an as- 
signment that satisfies the current set of clauses under 
the unit assumptions assumps = ao A aj A . . . A a„_i. 
If there is an assignment that satisfies all the clauses 
added so far, as well as the unit literals a^, that model 

2 This procedure (implemented by Alan Mishchenko in ABC [6]), 
has been independently discovered by one of our industrial collabora- 
tors, and probably by others too. A similar procedure is described in 



is returned. If, on the other hand, the problem is UN- 
SAT under the given assumptions, the subset of those 
assumptions used in the proof of UNSAT is returned 
in the form of a final conflict clause. 

The extension of solveSatQ to accept a set of unit literals 
as assumptions, and to produce the subset of those that 
were part of the UNSAT proof, can easily be added to any 
modern SAT-solver[f| This is in contrast to adding proof- 
logging, which is a non-trivial endeavor. For that reason, 
the proposed algorithm is stated entirely in terms of this 
interface and does not rely on generating UNSAT proofs. 

4.3 Refinement using activation literals 

Unlike the typical implementation of PBA, this work uses 
activation literals, rather than a syntactic analysis of reso- 
lution proofs, to determine the set of flops used for proving 
UNSAT. For each flop / that is concretized, a literal a 
is introduced in the SAT-instance. As the flop input /j„ 
at time-frame k is tied to the flop output at time-frame 
k + 1, the literal is used to activate or deactivate propaga- 
tion through the flop by inserting two clauses stating: 

a^(f[k + l]^ f in [k]) 

The set of activation literals is passed as assumptions to 
solveSatQ, and for UNSAT results, the current abstrac- 
tion can immediately be pruned of flops missing from the 
final conflict clause returned by the solver. 

This PBA phase is very affordable. The same SAT- 
problem would have to be solved in a pure CBA based 
method anyway. The cost we pay is only that of propa- 
gating the assumption literals. Because abstractions are 
derived in a bottom-up fashion, with the final abstraction 
typically containing just a few hundred flops, the overhead 
is small. 

5 Implementation 

This section describes the combined abstraction method in 
enough detail for the reader to easily and accurately re- 
produce the experimental results of the final section. The 
pseudo-code uses the following conventions: 

- Symbol &: indicates pass-by-reference. 

- The type Vec(T) is a dynamic vector whose elements 
are of type T. 

- The type Netlist is an extended And-Inverter-graph. 
It has the following gate types: And, PI, Flop, 
Const. Inverters are represented as complemented 
edges. Flops act as unit delays. Every netlist N, has a 
special gate JV. True of type Const. 

3 Two simple things should be done: (i) the decision heuristic has 
to be changed so that the first n decisions are made on the assumption 
literals; and (ii) if a conflict clause is derived that contradicts the set 
of assumptions, that clause has to be further analyzed back to the 
decision literals rather than the first UIP. For more details, please 
review the analyzeFinal() method of MiniSAT [5]. 



- The type Wire represents an edge in the netlist. Think 
of it as a pointer to a gate plus a "sign" bit. It serves 
the same function as a literal w.r.t. a variable in SAT. 
Function sign(w) will return True if the edge is com- 
plemented, False otherwise. By wo and w\ we refer 
to the left and right child of an AND-gate. By uii n we 
refer to the input of a flop. 

- The type WSet is a set of wires. 

- The type WMap(T) maps wires to elements of type 
T. For practical reasons, the sign bit of the wire is 
not used. For map m, m[w] is equivalent to m[-iw]. 
Unmapped elements of m are assumed to go to a dis- 
tinct element TJUndef (e.g. litJJndef for literals, 
or wireJJndef for wires). 

- The type lbool is a three- valued boolean that is either 
true, false, or undefined, represented in the code by: 

LBOOL_0, LBOOL_l, LBOOL_X. 

- Every SAT-instance S (of type SatSolver) has a spe- 
cial literal S. True which is bound to true. Method 
S.newLitQ creates a new variable and returns it as 
a literal with positive polarity. Clauses are added by 
S.addClauseQ and method S.satSolveQ commences 
the search for a satisfying assignment. 

Because the pseudo-code deals with two netlists N and F, 
wire-types are subscripted WireN and WireF to make clear 
which netlist the wire belongs to. The same holds for WSet 
and WMap. 

5.1 BMC Traces 

To succinctly express the SAT analysis of the unrolled de- 
sign, the class Trace is introduced (see Figure [T]) . It al- 
lows for incrementally extending the abstraction, as well 
as lengthening the unrolled trace. Its machinery needs the 
following: 

- A reference N to the input design (read-only). 

- A set of flops abstr, storing the current abstraction. 
Calling extendAbsQ will grow this set. Calling 
solveQ may shrink it through its built-in PBA. 

- A netlist F to store the unrolling of N under the cur- 
rent abstraction. Gates are put into F by calling in- 
sert(frame, w). Only the logic reachable from gate w 
of time-frame frame is inserted. For efficiency, netlist 
F is kept structurally hashed. 

- A SAT-instance S to analyze the logic of F. Call- 
ing solve(fidisj) will incrementally add the necessary 
clauses to model the logic of F reachable from the 
set of wires f-disj. The user of the class does not 
have to worry about how clauses are added; hence 
clausifyQ is a private method. The SAT-solving will 
take place under the assumption /o V f \ V ... V f n -i- 
The method solveQ has two important side-effects: 



class Trace { 

- Private variables: 

Netlist& N; 

Netlist F; 

SatSolver S; 

WSetN abstr; - publicly read-only 

Vec{WMap N (Wire F >> nBf; 
WMap F (Lit) f2s; 
WMapN(Lit) act Jits; 

- Private functions: 

Lit clausify (WireF /); 

void insertFlop (int frame, WireN w_flop, WircF /); 

- Constructor: 

Trace (Netlist& TV); 

- Public functions: 

WireF insert (int frame, WireN ui); 
void extendAbs (WireN w_fiop); 
bool solve (WSetF f-disj); 

Cex getCex (int depth); 

}; 

class Cex {...}; - stores a counter-example 



Figure 1. Interface of the "Trace" class. The class handles 
the BMC unrolling of the design N. Netlist F will store the 
structurally hashed unrolling of TV. SAT-solver S will store a 
CNF representation of the logic in F. 

- For satisfiable runs, the satisfying assignment is 
stored so that getCex() can later retrieve it. 

- For unsatisfiable runs, the flops not participating 
in the proof are removed from the current abstrac- 
tion. 

- Maps n2f and f2s. Expression u n2f[d][w}" gives the 
wire in F corresponding to gate w of TV in frame d. 
Expression "/2s[/]" gives the literal in S corresponding 
to gate / of F. 

- Map act Jits. Expression u actJits[w_flop] gives the ac- 
tivation literal for flop w-flop, or wire_Undef if none 
has been introduced. 

5.2 The main procedure 

The main loop of the abstraction procedure is given in Fig- 
ure [U Trace instance T is created with an empty abstrac- 
tion. For increasing depths, the following is done: 

- If the SAT-solver produces a counterexample, it is an- 
alyzed (by refine AbstractionQ) and flops are added 
to the abstraction to rule out this particular counterex- 
ample. 

- If UNSAT is returned, the depth is increased. The 
solveQ method will have performed proof-based ab- 
straction internally and may have removed some flops 
from the abstraction. 



For each new depth explored, a new bad signal is added 
to bad-disj. This disjunction is passed as an assumption to 
the solve method of T, which means we are looking for a 
counterexample where the property fail in at least one time 
frame. It is not enough to just check the last time frame 
because of PBA. 

5.3 Unrolling and SAT solving 

Figure [3] details how insertQ produces an unrolling of TV 
inside F, and Figure 0] describes how solveQ translates the 
logic of F into clauses and calls SAT. Great care is taken 
to describe accurately what is implemented, as the precise 
incremental SAT formulation is important for the perfor- 
mance and quality. For the casual reader who may not want 
to delve into details, the following paragraph summarizes 
some properties of the implementation: 

As the procedure works its way up to greater and greater 
depth, only the logic reachable from the bad signal is intro- 
duced into the SAT-solver, and only flops that have been 
concretized bring in logic from the preceding time-frames. 
Constant propagation and structural hashing is performed 
on the design, although constants are not propagated across 
time-frames due to proof-based abstraction (PBA). Con- 
crete flops are guarded by activation literals, which are used 
to implement PBA. One literal guards all occurrences of one 
flop in the unrolling. Flops that are removed by PBA will 
not be unrolled in future time-frames. However, fanin-logic 
from removed flops will remain in F and in the SAT-solver, 
but is disabled using the same activation literals. 

6 Evaluation and Conclusions 

The method of this paper was evaluated along two dimen- 
sions: (i) how does the new abstraction procedure fare in 
the simplest possible verification flow, where a complete 
proof-engine (in this case interpolation [10 ) is applied to 
its result versus applying the same proof-engine without 
any abstraction; and (ii) how does it compare to previous 
hybrid abstraction methods — in our experiments, the im- 
plementation of CBA and PBA inside ABC [5], and the 
hybrid method of McMillan et. al. pQ. 

The examples used were drawn from a large set of com- 
mercial benchmarks by focusing on designs with local prop- 
erties containing more than 1000 flopso Experiments were 
run on an 2 GHz AMD Optcron, with a timeout of 500 
seconds. The results are presented in Table Q] 

For all methods, the depth was increased until an abstrac- 
tion good enough to prove the property was found. ABC 
has a similar CBA implementation to the one presented 
in this work (based on ternary simulation), but restarts the 
SAT-solver after each refinement. ABC's PBA procedure is 
separate from CBA, so we opted for applying it once at the 
end to trim the model returned by CBA. This flow was also 

4 In other words, we've picked examples for which abstraction 
should work well. There are many verification problems where ab- 
straction is not a useful technique, but here we investigate cases where 
it is. 



WSetN tbl Cex combinedAbstraction(Netlist N) { 

Trace T(N); 

WireN bad — -^N.getPropertyQ; 
WSet F bad.disj = 0; 

for (int depth — 0;;) { 

if ({reached resource limit}) 
return T.abstr; 

bad_disj = bad_disj U {T.insert(depth, bad)}; 

if (T.solve(bad_disj)) { - Found counter-example; refine abstraction: 
int n_flops = T.abstr.sizeQ; 
refine Abstraction (T, depth, bad); 

if (T.abstr.sizeQ == n_flops) - Abstraction stable counter-example is valid: 
return T.getCex(depth); 

}else 

depth++; 

} 

} 

void refineAbstraction(Tra,ce&: T, int depth, WireN bad) { 
Cex cex — T.getCex(depth); 

Vec(WMapN(lbool)) sim — simulate Cex (T.N, T.abstr, cex); - 'sim[d][w]' = value if gate 'w' at frame 'd' 
WSetN to_add; 

for all flops w not in T.abstr { 

for (int frame = 0; frame < depth; frame++) { 

simPropagate(sim, T.abstr, frame, w, LBOOL_X); 

if (sim[depth][bad] == LBOOL_X) { 

- 'X' propagated all the way to the output; undo simulation and add flop to abstraction: 

for (; frame > 0; frame ) 

simPropagate(sim, T.abstr, frame, w, cex.flops[frame][w\); 
to_add = to-add U {w}; 
break; 

} 

} 

} 

for w G to_add 

T. extend A bs(w); 

} 

Vec(WMapN(lbool)) simulate C ex (Netlist N, WSetN abstr, Cex cex) { 

return {ternary simulate counter-example 'cex' on 'N' under abstraction 'abstr') 

} 

void simPropagate(Vec{ WMapN{lbool})& sim, WSetN abstr, int frame, WireN w, lbool value) { 
{incrementally propagate effect of changing gate 'w' at time-frame frame' to 'value') 

} 



Figure 2. Main procedure. Function combinedAbstractionQ takes a netlist and returns either (i) a counter-example (if the 
property fails) or (ii) the best abstraction produced at the point where resources were exhausted. We leave it unspecified what 
precise limits to use, but examples include a bound on the depth of the unrolling, the CPU time, or the number of propagations 
performed by the SAT solver. Function refine Abstraction^) will use the latest counterexample stored in T (by solveQ, if the 
last call was SAT) to grow the abstraction. Ternary (or A"-valued) simulation is used to shrink the support of the counterexample. 
Abstract flops that could be removed from the support (i.e. putting in an X did not invalidate the counterexample) are kept 
abstract; all other flops are concretized. When simulating under an abstraction, abstract flops don't use the value of their input 
signal, but instead the value of the counterexample produced by the SAT solver (where the flop is a free variable) . 
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2.5 


2.1 


4.4 


34.4 


11.9 


20.0 


36.2 


12.1 


34.6 


FO 


863,248 


40,849 


3 


3 


3 




1.0 


2.0 


3.5 




0.0 


0.0 


0.0 




48.2 


Fl 


863,251 


40,850 


4 


8 


4 




1.5 


4.7 


7.0 




0.0 


2.2 


0.0 




100.6 


F2 


863,254 


40,851 


5 


9 


5 




3.9 


6.1 


9.4 




0.0 


2.4 


0.0 




110.1 



Table 1. Evaluation of abstraction techniques. Four implementations of hybrid counterexample- and proof-based abstraction were 
applied to 22 benchmarks of more than 1000 flops, all for which the property holds. In New', PBA was only applied to the final 
iteration (to be closer to the ABC implementation) . The first section of the table shows the size of the designs. The second section 
shows, for each implementation, the size of the smallest abstraction it produced that was good enough to prove the property. The 
third and fourth sections show the time to compute the abstraction, and the time to prove the property using interpolation based 
modelchecking, with the very last column showing interpolation on the original unabstracted design. Benchmarks with the same 
first letter denote different properties of the same design. Timeout was set to 500 seconds. 

simulated in our new algorithm by delaying the PBA filter- 
ing until the final iteration (reported in column New'). This 
approach is often faster due to the fewer CBA refinement 
steps required, but there seems to be a quality/effort trade- 
off between applying PBA at every step, or only once at the 
end. In particular for the S series, interleaved CBA/PBA 
resulted in significantly smaller abstractions. We have ob- 
served this behavior on other benchmarks as well. 

The McMillan hybrid technique was improved by replac- 
ing BDDs with interpolation, which led to a significant and 
consistent speedup. However, our new method, and the 
similar techniques of ABC, still appear to be superior in 
terms of scalability. This is most likely explained by the 
expensive concretization phase of the older method, which 
requires the full design to be unrolled for the length of the 
counterexample. 

The effect of an incremental implementation can be seen 
by comparing columns New' and ABC. We have observed 
that the speedup tends to be more significant for harder 
problems with higher timeouts. 

The overall conclusion is that small abstractions help the 
proof-engine. However, there are cases where a tighter ab- 
straction led to significantly longer runtimes than a looser 
one (although that effect did not manifested itself in this 
benchmark set). This can partly be explained by the under- 
lying random nature of interpolant-based model checking, 
but it should also be recognized that replacing flops with 
Pis introduces more behaviors, which means the SAT-solver 
has to prove a more general theorem. Occasionally this can 



be detrimental, and offset the benefit of the reduced amount 
of logic that needs to be analyzed. Altogether, it empha- 
sizes that abstraction should be used in good orchestration 
with other verification techniques. 
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Trace:: IVace(Netlist& NO) { 
N = NO; 

f2s[F.True] = S.True; 

} 

WireF Trace:: insert (int frame, WireN w) { 
WireF ret — n2f \frame] [w] ; 
if (ret == wire_Undef) { 

if (w == N.True) { ret = F. True; } 

else if (type(w) == PI) { ret = F.add_PI(); } 

else if (type(w) == And) { ret = F.add_And(insert(frame, wo), insert(frame, wi)); } 
else if (type(w) == Flop) { ret — F.add_PI(); if (w 6 abstr) insertFlop (frame, w, ret); } 
n2f[frame][w] — ret; 

} 

return ret " sign(w); - interpretation: (w ~ b) = (b ? ->w : w) 

} 

void Trace: -.insertFlop (int frame, Wire N w_flop, WireF /) { 

WireF fjn = (frame == 0) ? -^F.True : insert (frame — 1, w in ); 
Lit p — clausify(f_in); 
Lit q — clausify(f); 
Lit a = actJits[w-flop]; 
if (a == lit_Undef) { 

a = S.newLit(); 

act_lits[w_flop] — a; } 
S.addClause({-^a, ->p, q}); 

S.addClause({-^a, p, -<q}); - we've now added: a —¥ (p q) 

} 

void Trace: .extendA bs (WireN W-flop) { 
abstr = abstr U {w_flop}; 

for (int frame — 0; frame < n2f.size(); frame++) { 
WireF / = n2f[frame][w_flop]; 

if (/ != wire_Undef) ~ f is either undefined or a PI 

insertFlop (frame, w_flop, /); 

} 

} 



Figure 3. Unrolling the netlist. Method insertQ will recursively add the logic feeding w to netlist F. Flops that are concrete 
will be traversed across time-frames, but not abstract flops. Each flop that is introduced to F is given an activation literal. If this 
literal is set to True, the flop will connect to its input; if it is set to False, the flop acts as a PI. Activation literals are used to 
implement the proof-based abstraction, and to disable flops when the abstraction shrinks. At frame 0, flops are assumed to be 
initialized to zero. The purpose of extendAbsQ is to grow the abstraction by one flop, adding the missing logic for all time frames. 



Lit Trace: :clausify{ WireF /) { 

Lit ret = f2s[f]; - map ignores the sign of '/' 

if (ret == litJJndef) { 
if (type(f) == PI) 

ret — S.newLitQ; 
else if (type(f) == And) { 

- Standard Tseitin clausification 
Lit x = clausify(fo); 
Lit y = clausify(f 1 ); 
ret — S.newLitQ; 
S.addClause({x, ->ret}); 
S.addClause({y, -^ret}); 
S.addClause({^x, -iy, ret}); 

} 

f2s[f] = ret; 

} 

return ret ' sign(f); 

} 

bool Trace: :soZ«e(WSetF f-disj) { 
Lit q = S.newLitQ; 

S.addClause({^q} U {clausify(f) \ f £ f_disj}); 

assumps = {q} U [actjits[w] \ actjits[w] != LIT_Undef && w £ abstr}; 

bool result = S.solve(assumps); 
if (result) {store SAT model) 

else abstr — abstr \ {w \ type(w) == Flop && w ^ S. conflict}; - this line does PBA 

S.addClause({^q}); -forever disable temporary clause 
return result; 

} 

Cex Trace::getCea;(int depth) { 

return {use maps 'n2f and 'f2s' to translate the last SAT model 

into 0/1 /X values for the Pis and Flops of frames 0.. depth) 

} 



Figure 4. SAT-Solving. Method clausifyQ translates the logic of F into CNF for the SAT-solver using the Tseitin transformation. 
The above procedure can be improved, e.g., by the techniques of [4] [12]. Method solveQ takes a disjunction of wires in F and 
searches for a satisfying assignment to that disjunction. Because only unit assumptions can be passed to solveSatQ, a literal q is 
introduced to represent the disjunction, and a temporary clause is added. Disabling the clause afterwards will in effect remove it. 
The activation literals of the current abstraction are passed together with q as assumptions to solveSatQ. The SAT-solver will give 
back either a satisfying assignment (stored for later use by getCexQ), or a conflict clause expressing which of the assumptions were 
used for proving UNSAT. This set is used to perform PBA. In computing assumps, we note that "&& w £ abstr" is necessary if 
PBA has shrunken the abstraction. In the experimental section, a variant (column New' in Table[TJ is evaluated where PBA is not 
applied inside solveQ. The set of redundant flops is still computed as above, and remembered. When the resource limit is reached, 
those flops that were redundant in the final UNSAT call are removed. In essence, the variant corresponds to an incremental CBA 
implementation with a final trimming of the absraction by PBA. 
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